Abstract

In this paper, we focus on the synthesis of secure timed systems which are modelled as timed automata. The security property that the system must satisfy is a non-interference property. Intuitively, non-interference ensures the absence of any causal dependency from a high-level domain to a lower-level domain. Various notions of non-interference have been defined in the literature, and in this paper we focus on Strong Non-deterministic Non-interference (SNNI) and two (bi)simulation based variants thereof (CSNNI and BSNNI). We consider timed non-interference properties for timed systems specified by timed automata and we study the two following problems: (1) check whether it is possible to find a sub-system so that it is non-interferent; if yes (2) compute a (largest) sub-system which is non-interferent.

Index Terms 

Non-interference, Timed Automaton, Safety Timed Games, Control, Synthesis 
I. Introduction

Modern computing environments allow the use of programs that are sent or fetched from different sites. Such programs may deal with secret information such as private data (of a user) or classified data (of an organization). One of the basic concerns in such a context is to ensure that the programs do not leak sensitive data to a third party, either maliciously or inadvertently. This is often called secrecy.

In an environment with two parties, information flow analysis defines secrecy as: "high-level information never flows into 
low-level channels". Such a definition is referred to as a non-interference property, and may capture any causal dependency 
between high-level and low-level behaviors. 
We assume that there are two users and the set of actions of the system $S$ is partitioned into $\Sigma_h$ (high-level actions) and $\Sigma_l$ (low-level actions). The non-interference properties we focus on are strong non-deterministic non-interference (SNNI), cosimulation-based strong non-deterministic non-interference (CSNNI) and bisimulation-based strong non-deterministic non-interference (BSNNI). The non-interference verification problem, for a given system $S$, consists in checking whether $S$ is non-interferent. It is worth noticing that non-interference properties are out of the scope of the common safety/liveness classification of system properties [1].

There is a large body of works on the use of static analysis techniques to guarantee information flow policies. A general overview can be found in [2]. Verification of information flow security properties [3] can be applied to the analysis of cryptographic protocols where many uniform and concise characterizations of information flow security properties (e.g. confidentiality, authentication, non-repudiation or anonymity) in terms of non-interference have been proposed. For example, the Needham-Schroeder protocol can be proved insecure by defining the security property using SNNI [4], and other examples of the use of non-interference in computer systems and protocols for checking security properties can be found in [5], [6], [7], [8].

In case a system is not non-interferent, it is interesting to investigate how and if it can be rendered non-interferent.

This is the scope of this paper where we consider the problem of synthesizing non-interferent timed systems. In contrast to verification, the non-interference synthesis problem assumes the system is open, i.e., we can restrict the behaviors of $S$: some events, from a particular set $\Sigma_c \subseteq \Sigma_l \cup \Sigma_h$, of $S$ can be disabled. The non-interference control problem for a system $S$ asks the following: "Is there a controller $C$ s.t. $C(S)$ is non-interferent?" where $C(S)$ is "$S$ controlled by $C$". The associated synthesis problem asks to compute a witness controller $C$ when one exists.

As mentioned earlier, SNNI is expressive enough for example to prove that the Needham-Schroeder protocol is flawed [4].
Controller synthesis enables one to find automatically the patch(es) to apply to make such a protocol secure. The use of 
dense-time to model the system clearly gives a more accurate and realistic model for the system and a potential attacker that 
can measure time. 

Related Work. In [9] the authors consider the complexity of many non-interference verification problems but synthesis is not addressed. In [10] an exponential time decision procedure for checking whether a finite state system satisfies a given Basic Security Predicate (BSP) is presented but the synthesis problem is not addressed. Recently supervisory control for the opacity property has been studied in [11], [12], [13] in the untimed setting. Opacity is undecidable for timed systems [14] and thus the associated control problem is undecidable as well. In [15] the controller synthesis problem for non-interference properties is addressed for untimed systems. In [16], supervisory control to enforce intransitive non-interference for three level security systems is proposed in the untimed setting.

The non-interference synthesis problem for dense-time systems specified by timed automata was first considered in [17]. The non-interference property considered in [17] is the state non-interference property, which is less demanding than the one we consider here. This paper extends the results of [18] about SNNI control problems for timed systems: Section V addresses the SNNI control problem for timed systems and is a detailed presentation of the result of [18] with proofs of the theorems that were unpublished. Sections III and IV are new and the latter provides a new result, Theorem 2. Section VI addresses the CSNNI and BSNNI control problems for timed systems and also contains new results: Theorems 9, 10, 11 and Propositions 4 and 5.

Our Contribution. In this paper, we first exhibit a class dTA of timed automata for which the SNNI verification problem is 
decidable. The other main results are: (1) we prove that deciding whether there is a controller C for a timed automaton A 
such that (s.t. in the following) C(A) is SNNI, is decidable for the previous class dTA; (2) we reduce the SNNI controller 
synthesis problem to solving a sequence of safety timed games; (3) we show that there is not always a most permissive 
controller for CSNNI and BSNNI; (4) we prove that the control problem for CSNNI is decidable for the class dTA and that the 
CSNNI controller synthesis problem for dTA reduces to the SNNI controller synthesis problem. We also give the theoretical 
complexities of these problems. 

Organization of the paper. Section II recalls the basics of timed automata, timed languages and some results on safety timed games. Section III gives the definition of the non-interference properties we are interested in. Section IV addresses the verification of non-interference properties in the timed setting. Section V gives the definition of the non-interference synthesis problem and presents the main result: we show that there is a largest subsystem which is SNNI and this subsystem is effectively computable. Section VI addresses the control problem and controller synthesis problem for CSNNI and BSNNI properties. Finally, we conclude in Section VII.

II. Preliminaries 

Let $\mathbb{R}_+$ be the set of non-negative reals and $\mathbb{N}$ the set of integers. Let $X$ be a finite set of positive real-valued variables called clocks. A valuation of the variables in $X$ is a function $X \to \mathbb{R}_+$, that can be written as a vector of $\mathbb{R}_+^X$. We let $\mathbf{0}_X$ be the valuation s.t. $\mathbf{0}_X(x) = 0$ for each $x \in X$ and use $\mathbf{0}$ when $X$ is clear from the context. Given a valuation $v$ and $R \subseteq X$, $v[R \mapsto 0]$ is the valuation s.t. $v[R \mapsto 0](x) = v(x)$ if $x \notin R$ and $0$ otherwise. An atomic constraint (over $X$) is of the form $x \bowtie c$, with $x \in X$, $\bowtie \in \{<, \le, =, \ge, >\}$ and $c \in \mathbb{N}$. A (convex) formula is a conjunction of atomic constraints. $\mathcal{C}(X)$ is the set of convex formulas. Given a valuation $v$ (over $X$) and a formula $\gamma$ over $X$, $\gamma(v)$ is the truth value, in $\mathbb{B} = \{\text{true}, \text{false}\}$, of $\gamma$ when each symbol $x$ in $\gamma$ is replaced by $v(x)$. If $t \in \mathbb{R}_+$, we let $v + t$ be the valuation s.t. $(v + t)(x) = v(x) + t$. We let $|V|$ be the cardinality of the set $V$.

Let $\Sigma$ be a finite set, $\varepsilon \notin \Sigma$ and $\Sigma_\varepsilon = \Sigma \cup \{\varepsilon\}$. A timed word $w$ over $\Sigma$ is a sequence $w = (\delta_0, a_0)(\delta_1, a_1) \cdots (\delta_n, a_n)$ s.t. $(\delta_i, a_i) \in \mathbb{R}_+ \times \Sigma$ for $0 \le i \le n$ where $\delta_i$ represents the amount of time elapsed$^1$ between $a_{i-1}$ and $a_i$. $T\Sigma^*$ is the set of timed words over $\Sigma$. We denote by $uv$ the concatenation of two timed words $u$ and $v$. As usual $\varepsilon$ is also the empty word s.t. $(\delta_1, \varepsilon)(\delta_2, a) = (\delta_1 + \delta_2, a)$: this means that language-wise, we can always eliminate the $\varepsilon$ action by taking into account its time interval in the next visible action. Given a timed word $w \in T\Sigma^*$ and $L \subseteq \Sigma$ the projection of $w$ over $L$ is denoted by $\mathrm{proj}_L(w)$ and is defined by $\mathrm{proj}_L(w) = (\delta_0, b_0)(\delta_1, b_1) \cdots (\delta_n, b_n)$ with $b_i = a_i$ if $a_i \in L$ and $b_i = \varepsilon$ otherwise. The untimed projection of $w$, $\mathrm{Untimed}(w)$, is the word $a_0 a_1 \cdots a_n$ of $\Sigma^*$.

A timed language is a subset of $T\Sigma^*$. Let $L$ be a timed language, the untimed language of $L$ is $\mathrm{Untimed}(L) = \{v \in \Sigma^* \mid \exists w \in L \text{ s.t. } v = \mathrm{Untimed}(w)\}$.

Definition 1 (Timed Transition System (TTS)). A timed transition system (TTS) is a tuple $S = (Q, q_0, \Sigma_\varepsilon, \to)$ where $Q$ is a set of states, $q_0$ is the initial state, $\Sigma$ a finite alphabet of actions, $\to \subseteq Q \times (\Sigma_\varepsilon \cup \mathbb{R}_+) \times Q$ is the transition relation. We use the notation $q \xrightarrow{e} q'$ if $(q, e, q') \in \to$. Moreover, a TTS should satisfy the classical time-related conditions where $d, d' \in \mathbb{R}_{\ge 0}$: i) time determinism: $(q \xrightarrow{d} q') \wedge (q \xrightarrow{d} q'') \Rightarrow (q' = q'')$, ii) time additivity: $(q \xrightarrow{d} q') \wedge (q' \xrightarrow{d'} q'') \Rightarrow (q \xrightarrow{d+d'} q'')$, iii) null delay: $\forall q : q \xrightarrow{0} q$, and iv) time continuity: $(q \xrightarrow{d} q') \Rightarrow (\forall d' \le d, \exists q'', q \xrightarrow{d'} q'')$.

A run $\rho$ of $S$ from $q_0$ is a finite sequence of transitions $\rho = q_0 \xrightarrow{e_0} q_1 \xrightarrow{e_1} \cdots \xrightarrow{e_{n-1}} q_n$ s.t. $(q_i, e_i, q_{i+1}) \in \to$ for $0 \le i \le n-1$. We denote by $\mathrm{last}(\rho)$ the last state of the sequence i.e., the state $q_n$. We let $\mathrm{Runs}(q, S)$ be the set of runs from $q$ in $S$ and $\mathrm{Runs}(S) = \mathrm{Runs}(q_0, S)$. We write $q \xRightarrow{\varepsilon} q'$ if there is a run $q \xrightarrow{\varepsilon} \cdots \xrightarrow{\varepsilon} q'$ from $q$ to $q'$ i.e., $\xRightarrow{\varepsilon} = (\xrightarrow{\varepsilon})^*$. Given $a \in \Sigma \cup \mathbb{R}_+$, we define $\xRightarrow{a} \stackrel{\text{def}}{=} \xRightarrow{\varepsilon} \xrightarrow{a} \xRightarrow{\varepsilon}$. We write $q_0 \to^* q_n$ if there is a run from $q_0$ to $q_n$. The set of reachable states in $\mathrm{Runs}(S)$ is $\mathrm{Reach}(S) = \{q \mid q_0 \to^* q\}$. Each run can be written in a normal form where delay and discrete transitions alternate i.e., $\rho = q_0 \xrightarrow{\delta_0} q_0' \xrightarrow{e_0} q_1 \xrightarrow{\delta_1} q_1' \xrightarrow{e_1} \cdots q_n \xrightarrow{\delta_n} q_n' \xrightarrow{e_n} q_{n+1}$. The trace of $\rho$ is $\mathrm{trace}(\rho) = (\delta_0, e_0)(\delta_1, e_1) \cdots (\delta_n, e_n)$.

$^1$ For $i = 0$ this is the amount of time since the system started.

Definition 2 (Timed automata (TA)). A timed automaton (TA) is a tuple $A = (Q, q_0, X, \Sigma_\varepsilon, E, \mathrm{Inv})$ where: $q_0 \in Q$ is the initial location; $X$ is a finite set of positive real-valued clocks; $\Sigma_\varepsilon$ is a finite set of actions; $E \subseteq Q \times \mathcal{C}(X) \times \Sigma_\varepsilon \times 2^X \times Q$ is a finite set of edges. An edge $(q, \gamma, a, R, q')$ goes from $q$ to $q'$, with the guard $\gamma \in \mathcal{C}(X)$, the action $a$ and the reset set $R \subseteq X$; $\mathrm{Inv} : Q \to \mathcal{C}(X)$ is a function that assigns an invariant to any location; we require that the atomic formulas of an invariant are of the form $x \bowtie c$ with $\bowtie \in \{<, \le\}$.

A finite (or untimed) automaton $A = (Q, q_0, \Sigma_\varepsilon, E)$ is a special kind of timed automaton with $X = \emptyset$, and consequently all the guards and invariants are vacuously true. A timed automaton $A$ is deterministic if for $(q_1, \gamma, a, R, q_2), (q_1, \gamma', a, R', q_2') \in E$, $\gamma \wedge \gamma' \ne \text{false} \Rightarrow q_2 = q_2'$ and $R = R'$. We recall that timed automata cannot always be determinized (i.e., find a deterministic TA which accepts the same language as a non-deterministic one, see [19]), and moreover, checking whether a timed automaton is determinizable is undecidable [20].

Definition 3 (Semantics of Timed automata). The semantics of a timed automaton $A = (Q, q_0, X, \Sigma_\varepsilon, E, \mathrm{Inv})$ is the TTS $S_A = (S, s_0, \Sigma_\varepsilon, \to)$ with $S = Q \times (\mathbb{R}_+)^X$, $s_0 = (q_0, \mathbf{0})$, and $\to$ defined as follows:

$(q, v) \xrightarrow{a} (q', v')$ iff $\exists (q, \gamma, a, R, q') \in E$ such that $\gamma(v) = \text{true}$, $v' = v[R \mapsto 0]$ and $\mathrm{Inv}(q')(v') = \text{true}$;

$(q, v) \xrightarrow{\delta} (q, v + \delta)$ iff $\forall \delta', 0 \le \delta' \le \delta$, $\mathrm{Inv}(q)(v + \delta') = \text{true}$.

If $s = (q, v)$ is a state of $S_A$, we denote by $s + \delta$ the (only) state reached after $\delta$ time units, i.e., $s + \delta = (q, v + \delta)$. The set of runs of $A$ is defined as $\mathrm{Runs}(A) = \mathrm{Runs}(S_A)$ where $S_A$ is the semantics of $A$. A timed word $w \in T\Sigma^*$ is generated by $A$ if $w = \mathrm{trace}(\rho)$ for some $\rho \in \mathrm{Runs}(A)$. The timed language generated by $A$, $\mathcal{L}(A)$, is the set of timed words generated by $A$.

Definition 4 (Language equivalence). Two automata $A$ and $B$ are language equivalent, denoted by $A \approx_{\mathcal{L}} B$, if $\mathcal{L}(A) = \mathcal{L}(B)$ i.e., they generate the same set of timed words.

Definition 5 (Simulation). Let $T_1 = (S_1, s_0^1, \Sigma_\varepsilon, \to_1)$ and $T_2 = (S_2, s_0^2, \Sigma_\varepsilon, \to_2)$ be two TTS. Let $\mathcal{R} \subseteq S_1 \times S_2$ be a relation s.t. $\mathcal{R}$ is total for $S_2$. $\mathcal{R}$ is a weak simulation of $T_2$ by $T_1$ iff:

1) $s_0^1 \mathcal{R} s_0^2$,

2) $\forall (s, p) \in S_1 \times S_2$ such that $s \mathcal{R} p$:

• if $p \xRightarrow{\varepsilon}_2 p'$ then $\exists s'$ such that $s \xRightarrow{\varepsilon}_1 s'$ and $s' \mathcal{R} p'$,

• $\forall a \in \Sigma \cup \mathbb{R}_+$, if $p \xRightarrow{a}_2 p'$ then $\exists s'$ such that $s \xRightarrow{a}_1 s'$ and $s' \mathcal{R} p'$.

$T_1$ weakly simulates $T_2$ if there exists a weak simulation $\mathcal{R}$ of $T_2$ by $T_1$ and we note $T_1 \sqsubseteq_W T_2$. Let $A_1$ and $A_2$ be two timed automata, we say that $A_1$ weakly simulates $A_2$ if the semantics of $A_1$ weakly simulates the semantics of $A_2$, and we note $A_1 \sqsubseteq_W A_2$.

Definition 6 (Cosimulation). Two timed automata $A_1$ and $A_2$ are co-similar iff $A_1 \sqsubseteq_W A_2$ and $A_2 \sqsubseteq_W A_1$. We note $A_1 \approx_{CW} A_2$.

Definition 7 (Bisimulation). Two timed automata $A_1$ and $A_2$ are bisimilar iff there exists a simulation $\mathcal{R}$ of $A_2$ by $A_1$ such that $\mathcal{R}^{-1}$ is a weak simulation of $A_1$ by $A_2$. We note $A_1 \approx_W A_2$.

Note that when no e transition exists, we obtain strong versions of similarity and bisimilarity. 

Definition 8 (Product of timed automata). Let $A_1 = (Q_1, q_{01}, X_1, \Sigma_\varepsilon, E_1, \mathrm{Inv}_1)$ and $A_2 = (Q_2, q_{02}, X_2, \Sigma_\varepsilon, E_2, \mathrm{Inv}_2)$ be two TA with $X_1 \cap X_2 = \emptyset$. Let $\Sigma_a \subseteq \Sigma$. The synchronized product of $A_1$ and $A_2$ w.r.t. $\Sigma_a$, is the timed automaton $A_1 \times_{\Sigma_a} A_2 = (Q_1 \times Q_2, (q_{01}, q_{02}), X_1 \cup X_2, \Sigma_\varepsilon, E, \mathrm{Inv})$ where $E$ is defined as follows:

• $((q_1, q_2), \gamma_1 \wedge \gamma_2, a, R_1 \cup R_2, (q_1', q_2')) \in E$ if $a \in \Sigma_a$, $(q_1, \gamma_1, a, R_1, q_1') \in E_1$ and $(q_2, \gamma_2, a, R_2, q_2') \in E_2$;

• $((q_1, q_2), \gamma, a, R, (q_1', q_2')) \in E$ if $a \in \Sigma \setminus \Sigma_a$ and either $(q_1, \gamma, a, R, q_1') \in E_1$ and $q_2' = q_2$, or $(q_2, \gamma, a, R, q_2') \in E_2$ and $q_1' = q_1$;

and where $\mathrm{Inv}((q_1, q_2)) = \mathrm{Inv}_1(q_1) \wedge \mathrm{Inv}_2(q_2)$.

It means that synchronization occurs only for actions in $\Sigma_a$. When it is clear from the context we omit the subscript $\Sigma_a$ in $A_1 \times_{\Sigma_a} A_2$.
Moreover, in the sequel we will use two operators on TA: the first one gives an abstracted automaton and simply hides a set of labels $L \subseteq \Sigma$. Given a TA $A = (Q, q_0, X, \Sigma_\varepsilon, E, \mathrm{Inv})$ and $L \subseteq \Sigma$ we define the TA $A/L = (Q, q_0, X, (\Sigma \setminus L)_\varepsilon, E_L, \mathrm{Inv})$ where $(q, \gamma, a, R, q') \in E_L \iff (q, \gamma, a, R, q') \in E$ for $a \in \Sigma \setminus L$ and $(q, \gamma, \varepsilon, R, q') \in E_L \iff (q, \gamma, a, R, q') \in E$ for $a \in L \cup \{\varepsilon\}$. The restricted automaton cuts transitions labeled by the letters in $L \subseteq \Sigma$: given a TA $A = (Q, q_0, X, \Sigma, E, \mathrm{Inv})$ and $L \subseteq \Sigma$ we define the TA $A \setminus L = (Q, q_0, X, \Sigma \setminus L, E_L, \mathrm{Inv})$ where $(q, \gamma, a, R, q') \in E_L \iff (q, \gamma, a, R, q') \in E$ for $a \in \Sigma \setminus L$.

We will also use some results on safety control for timed games which have been introduced and solved in [21].

Definition 9 (Timed Game Automaton (TGA)). A Timed Game Automaton (TGA) $A = (Q, q_0, X, \Sigma, E, \mathrm{Inv})$ is a timed automaton with its set of actions $\Sigma$ partitioned into controllable ($\Sigma_c$) and uncontrollable ($\Sigma_u$) actions.

Let $A$ be a TGA and $\mathrm{Bad} \subseteq Q \times (\mathbb{R}_+)^X$ be the set of bad states to avoid. $\mathrm{Bad}$ can be written $\bigcup_{1 \le i \le k} (\ell_i, Z_i)$, with each $Z_i$ defined as a conjunction of formulas of $\mathcal{C}(X)$ and each $\ell_i \in Q$. The safety control problem for $(A, \mathrm{Bad})$ is: decide whether there is a controller to constantly avoid $\mathrm{Bad}$. Let $\lambda$ be a fresh special symbol not in $\Sigma_\varepsilon$ denoting the action "do nothing".

A controller $C$ for $A$ is a partial function from $\mathrm{Runs}(A)$ to $2^{\Sigma_c \cup \{\lambda\}}$. We require that $\forall \rho \in \mathrm{Runs}(A)$, if $a \in C(\rho) \cap \Sigma_c$ then $\mathrm{last}(\rho) \xrightarrow{a} (q', v')$ for some $(q', v')$ and if $\lambda \in C(\rho)$ then $\mathrm{last}(\rho) \xrightarrow{\delta} (q', v')$ for some $\delta > 0$. A controller $C$ is state-based or memoryless whenever $\forall \rho, \rho' \in \mathrm{Runs}(A)$, $\mathrm{last}(\rho) = \mathrm{last}(\rho')$ implies that $C(\rho) = C(\rho')$.

Remark 1. We assume a controller gives a set of actions that are enabled which differs from standard definitions [21] where 
a controller only gives one action. Nevertheless for safety timed games, one computes a most permissive controller (if there 
is one) which gives for each state the largest set of actions which are safe. It follows that any reasonable (e.g., Non-Zeno) 
sub-controller of this most permissive controller avoids the set of bad states. 

$C(A)$ defines "$A$ supervised/restricted by $C$" and is inductively defined by its set of runs:

• $(q_0, \mathbf{0}) \in \mathrm{Runs}(C(A))$,

• if $\rho \in \mathrm{Runs}(C(A))$ and $\rho \xrightarrow{e} s' \in \mathrm{Runs}(A)$, then $\rho \xrightarrow{e} s' \in \mathrm{Runs}(C(A))$ if one of the following three conditions holds:

1) $e \in \Sigma_u$,

2) $e \in \Sigma_c \cap C(\rho)$,

3) $e \in \mathbb{R}_+$ and $\forall \delta$ s.t. $0 \le \delta < e$, $\mathrm{last}(\rho) \xrightarrow{\delta} \mathrm{last}(\rho) + \delta$ and $\lambda \in C(\rho \xrightarrow{\delta} \mathrm{last}(\rho) + \delta)$.

$C(A)$ can also be viewed as a TTS where each state is a run of $A$ and the transitions are given by the previous definition. $C$ is a winning controller for $(A, \mathrm{Bad})$ if $\mathrm{Reach}(C(A)) \cap \mathrm{Bad} = \emptyset$. For safety timed games, the results are the following [21], [22]:

• it is EXPTIME-complete to decide whether there is a winning controller for a safety game $(A, \mathrm{Bad})$;

• in case there is one, there is a most permissive controller which is memoryless on the region graph of the TGA $A$. This most permissive controller can be represented by a TA. This also means that the set of runs of $C(A)$ is itself the semantics of a timed automaton, that can be effectively built from $A$.

III. Formal Definitions of Non-Interference Properties 

In the sequel, we will consider Timed Automata defined on a set of actions $\Sigma = \Sigma_l \cup \Sigma_h$ with $\Sigma_l \cap \Sigma_h = \emptyset$, where $\Sigma_h$ are the high level actions and $\Sigma_l$ the low level actions. In order to define the different classes of non-interference properties on an automaton $A$, we are going to compare $A \setminus \Sigma_h$ and $A / \Sigma_h$ w.r.t. different criteria.

A. Strong Non-Deterministic Non-interference (SNNI)

The property Strong Non-Deterministic Non-interference (SNNI) has been introduced by Focardi and Gorrieri in [1] as a trace-based generalization of non-interference for concurrent systems. SNNI has been extended to timed models in [17].

Definition 10. A timed automaton $A$ is SNNI iff $A \setminus \Sigma_h \approx_{\mathcal{L}} A / \Sigma_h$.

Since finite automata are timed automata with no clocks, the definition also applies to finite automata. Moreover, as $\mathcal{L}(A \setminus \Sigma_h) \subseteq \mathcal{L}(A / \Sigma_h)$, we can give a simple characterization of the SNNI property:

Proposition 1. A timed automaton $A$ is SNNI iff $\mathcal{L}(A / \Sigma_h) \subseteq \mathcal{L}(A \setminus \Sigma_h)$.

Example 1. Let us consider the automaton $A_a$ of figure 1(a) with $\Sigma_h = \{h\}$ and $\Sigma_l = \{\ell\}$. This automaton is not SNNI, because $\mathcal{L}(A \setminus \Sigma_h) = \varepsilon$ whereas $\mathcal{L}(A / \Sigma_h) = \ell$. The automaton $A_b$ is SNNI.

As demonstrated by the following examples 2 and 3, a timed automaton $A$ can be non SNNI whereas its untimed underlying automaton is SNNI, and $A$ can be SNNI whereas its untimed underlying automaton is not.

Example 2. Let us consider the timed automaton $A_g$ of figure 2(a) with $\Sigma_h = \{h\}$ and $\Sigma_l = \{\ell\}$. It is not SNNI since $(2.5, \ell)$ is accepted by $A_g / \Sigma_h$ but not by $A_g \setminus \Sigma_h$. Its untimed underlying automaton $A_h$ is SNNI since $\mathcal{L}(A_h \setminus \Sigma_h) = \{\ell\} = \mathcal{L}(A_h / \Sigma_h)$.
Fig. 1. Examples for the SNNI property. (a) $A_a$ is not SNNI. (b) $A_b$ is SNNI.

Fig. 2. A non SNNI timed automaton and its untimed underlying automaton which is SNNI. (a) $A_g$, a non SNNI timed automaton. (b) $A_h$, the SNNI untimed automaton associated to $A_g$.

Example 3. Let us consider the timed automaton $A_j$ of figure 3(a) with $\Sigma_h = \{h\}$ and $\Sigma_l = \{\ell_1, \ell_2\}$. It is SNNI, since $\mathcal{L}(A_j \setminus \Sigma_h) = \mathcal{L}(A_j / \Sigma_h)$. Its untimed underlying automaton $A_k$ is not SNNI since $\ell_1 \cdot \ell_2$ is accepted by $A_k / \Sigma_h$ but not by $A_k \setminus \Sigma_h$.

Example 4 (SNNI). Figure 4 gives examples of systems $A(k)$ which are SNNI and not SNNI depending on the value of the integer $k$. The high-level actions are $\Sigma_h = \{h\}$ and the low-level actions are $\Sigma_l = \{l\}$. $(\delta, l)$ with $1 < \delta < 2$ is a trace of $A(1) / \Sigma_h$ but not of $A(1) \setminus \Sigma_h$ and so, $A(1)$ is not SNNI. $A(2)$ is SNNI as we can see that $A(2) / \Sigma_h \approx_{\mathcal{L}} A(2) \setminus \Sigma_h$.

Finally, since SNNI is based on language equivalence, we have the following lemma:

Lemma 1. If $A' \approx_{\mathcal{L}} A$, then $A$ is SNNI $\iff$ $A'$ is SNNI.

Proof: First $\mathcal{L}(A / \Sigma_h) = \mathrm{proj}_{\Sigma_l}(\mathcal{L}(A)) = \mathrm{proj}_{\Sigma_l}(\mathcal{L}(A')) = \mathcal{L}(A' / \Sigma_h)$. Second, $\mathcal{L}(A \setminus \Sigma_h) = \mathcal{L}(A) \cap T\Sigma_l^* = \mathcal{L}(A') \cap T\Sigma_l^* = \mathcal{L}(A' \setminus \Sigma_h)$. ■

B. Cosimulation Strong Non-Deterministic Non-interference (CSNNI)

The Cosimulation Strong Non-Deterministic Non-interference (CSNNI) property has been introduced in [17] and is based on cosimulation.
Fig. 3. A SNNI timed automaton and its untimed underlying automaton which is non SNNI. (a) $A_j$, a SNNI timed automaton. (b) $A_k$, the non SNNI untimed automaton associated to $A_j$.

Fig. 4. Automaton $A(k)$.

Fig. 5. CSNNI is stronger than SNNI. (a) $A_c$, a SNNI but not CSNNI automaton.
Definition 11. A timed automaton $A$ is CSNNI iff $A \setminus \Sigma_h \approx_{CW} A / \Sigma_h$.

Since $A / \Sigma_h \sqsubseteq_W A \setminus \Sigma_h$, we can give a simple characterization of CSNNI:

Proposition 2. A timed automaton $A$ is CSNNI iff $A \setminus \Sigma_h \sqsubseteq_W A / \Sigma_h$.

By restricting the class of timed automata considered, we obtain the following result. 

Example 5. Let us consider the automaton $A_c$ of figure 5(a) with $\Sigma_h = \{h\}$ and $\Sigma_l = \{\ell_1, \ell_2, \ell_3\}$. $A_c$ is SNNI but is not CSNNI, because no state of $A_c \setminus \Sigma_h$ can simulate the state q$. The automaton $A_d$ of figure 5(a) is CSNNI. The state $q_1$ of $A_d \setminus \Sigma_h$ simulates the states q§ and q§.

We complete this subsection by comparing SNNI and CSNNI. Given two timed automata $A_1, A_2$, $A_1 \sqsubseteq_W A_2$ implies $\mathcal{L}(A_2) \subseteq \mathcal{L}(A_1)$. CSNNI is thus stronger than SNNI as for each timed automaton $A$, $A \setminus \Sigma_h \sqsubseteq_W A / \Sigma_h$ implies $\mathcal{L}(A / \Sigma_h) \subseteq \mathcal{L}(A \setminus \Sigma_h)$.

The converse holds when $A \setminus \Sigma_h$ is deterministic:

Lemma 2. If $A \setminus \Sigma_h$ is deterministic, then $A$ is SNNI implies $A$ is CSNNI.

Proof: As emphasized before, given two timed automata $A_1, A_2$, $A_1 \sqsubseteq_W A_2$ implies $\mathcal{L}(A_2) \subseteq \mathcal{L}(A_1)$. If $A_1$ is deterministic, then $\mathcal{L}(A_2) \subseteq \mathcal{L}(A_1)$ implies $A_1 \sqsubseteq_W A_2$. To obtain the result it suffices to take $A_1 = A \setminus \Sigma_h$ and $A_2 = A / \Sigma_h$.



C. Bisimulation Strong Non-Deterministic Non-interference (BSNNI) 

The Bisimulation Strong Non-Deterministic Non-interference (BSNNI) property has been introduced in [1] and is based on bisimulation.

Definition 12. A timed automaton $A$ is BSNNI iff $A \setminus \Sigma_h \approx_W A / \Sigma_h$.

The automaton $A_f$ of figure 6(b) is BSNNI. Bisimulation is stronger than cosimulation and we have for all timed automata $A$, if $A$ is BSNNI then $A$ is CSNNI (and thus $A$ is SNNI).

As the following example demonstrates, there exists an automaton which is CSNNI and not BSNNI. 

Example 6. Let us consider the automaton $A_e$ of figure 6(a) with $\Sigma_h = \{h\}$ and $\Sigma_l = \{\ell\}$. This automaton is deterministic and SNNI, and therefore by Lemma 2 it is CSNNI. However, it is not BSNNI, since the state $q_2$ of $A_e \setminus \Sigma_h$ has no bisimilar state in $A_e / \Sigma_h$.

IV. Verification of Non-Interference Properties for Timed Automata 
In this section we settle the complexity of non-interference verification problems for timed automata. 
Fig. 6. BSNNI is stronger than CSNNI. (a) $A_e$, a CSNNI but not BSNNI automaton. (b) $A_f$, a BSNNI automaton.




A. SNNI verification 

The SNNI verification problem (SNNI-VP) asks to check whether a system $A$ is SNNI.

For timed automata, this problem has been proved to be undecidable in [17] and the proof is based on the fact that language containment for TA is undecidable [19]. However, if we consider the subclass of timed automata $A$ such that $A \setminus \Sigma_h$ is deterministic, then the problem becomes decidable. In the sequel, we call dTA the class of timed automata $A$ such that $A \setminus \Sigma_h$ is deterministic.

Theorem 1. The SNNI-VP is PSPACE-complete for dTA.

Proof: Let $A_1$ and $A_2$ be two timed automata. Checking whether $\mathcal{L}(A_2) \subseteq \mathcal{L}(A_1)$ with $A_1$ a deterministic TA is PSPACE-complete [19]. Checking $\mathcal{L}(A / \Sigma_h) \subseteq \mathcal{L}(A \setminus \Sigma_h)$ can thus be done in PSPACE if $A \setminus \Sigma_h$ is deterministic. Using Proposition 1 it follows that SNNI-VP is PSPACE-easy for dTA.

For PSPACE-hardness, we reduce the language inclusion problem $\mathcal{L}(A_2) \subseteq \mathcal{L}(A_1)$, with $A_1$ a deterministic TA, to the SNNI-VP. Let $A_1 = (Q_1, q_{01}, X_1, \Sigma, E_1, \mathrm{Inv}_1)$ be a deterministic TA and $A_2 = (Q_2, q_{02}, X_2, \Sigma, E_2, \mathrm{Inv}_2)$ a TA$^2$. We let $h \notin \Sigma$ be a fresh letter, $x \notin X_1 \cup X_2$ be a fresh clock and define $A_{12} = (\{q_0^{12}\} \cup Q_1 \cup Q_2, q_0^{12}, X_1 \cup X_2 \cup \{x\}, \Sigma_\varepsilon \cup \{h\}, E_{12}, \mathrm{Inv}_{12})$ to be the timed automaton defined (as shown in figure 7) as follows:

• the transition relation $E_{12}$ contains $E_1 \cup E_2$ and the additional transitions $(q_0^{12}, \text{true}, h, \emptyset, q_{02})$ and $(q_0^{12}, \text{true}, \varepsilon, \emptyset, q_{01})$;

• $\mathrm{Inv}_{12}(q) = \mathrm{Inv}_i(q)$ if $q \in Q_i$, $i \in \{1, 2\}$, and $\mathrm{Inv}_{12}(q_0^{12}) = [x \le 0]$.

We let $\Sigma_l = \Sigma$ and $\Sigma_h = \{h\}$. We prove that $A_{12}$ is SNNI iff $\mathcal{L}(A_2) \subseteq \mathcal{L}(A_1)$. This is easily established as:

$A_{12}$ is SNNI iff $\mathcal{L}(A_{12} / \Sigma_h) \subseteq \mathcal{L}(A_{12} \setminus \Sigma_h)$ [Proposition 1]
iff $\mathcal{L}(A_1) \cup \mathcal{L}(A_2) \subseteq \mathcal{L}(A_1)$
iff $\mathcal{L}(A_2) \subseteq \mathcal{L}(A_1)$.

Thus the SNNI-VP is PSPACE-complete for dTA. ■

$^2$ We assume that $Q_1 \cap Q_2 = \emptyset$ and $X_1 \cap X_2 = \emptyset$.
For non-deterministic finite automata $A_1$ and $A_2$, checking language inclusion $\mathcal{L}(A_1) \subseteq \mathcal{L}(A_2)$ is PSPACE-complete [23]. Then, using the same proof with $A_1$ being a non-deterministic finite automaton, it follows that:

Corollary 1. The SNNI-VP is PSPACE-complete for non-deterministic finite automata.

Moreover, when $A_2$ is a deterministic finite automaton, language containment can be checked in PTIME and thus we have the following corollary:

Corollary 2. For finite automata belonging to dTA, the SNNI-VP is PTIME.
Table I summarizes the results on the complexity of the SNNI-VP.

TABLE I
Complexity of SNNI-VP

                                     Timed Automata                  Finite Automata
  A\Σ_h is deterministic (dTA)       PSPACE-complete (Theorem 1)     PTIME (Corollary 2)
  General Case                       Undecidable [17]                PSPACE-complete (Corollary 1)


B. Verification of CSNNI and BSNNI properties

BSNNI-VP and CSNNI-VP are decidable for timed automata [17] since simulation and bisimulation are decidable. For finite automata, the complexity of BSNNI-VP and CSNNI-VP is known to be PTIME [15]. We settle here the complexity of those problems for timed automata.

Theorem 2. The CSNNI-VP and BSNNI-VP are EXPTIME-complete for Timed Automata.

Proof: Strong timed bisimilarity and simulation pre-order are both EXPTIME-complete for timed automata. The EXPTIME-hardness is established in [24] where it is shown that any relation between simulation pre-order and bisimilarity is EXPTIME-hard for Timed Automata.

The EXPTIME-easiness for strong timed bisimulation was established in [25] and for simulation pre-order in [26]. To establish EXPTIME-completeness for CSNNI-VP and BSNNI-VP, we show that these problems are equivalent to their counterparts for timed automata.

To do this, we use the automata $A_1$, $A_2$ and $A_{12}$ already defined in the proof of Theorem 1. We show that: $A_1$ simulates $A_2$ iff $A_{12}$ is CSNNI.

Assume $A_1$ simulates $A_2$. There exists a relation $\mathcal{R}$ s.t.: 1) $(q_{02}, \mathbf{0}_{X_2}) \mathcal{R} (q_{01}, \mathbf{0}_{X_1})$ and 2) for each state $(s_2, \bar{x}_2)$, there exists $(s_1, \bar{x}_1)$ s.t. $(s_2, \bar{x}_2) \mathcal{R} (s_1, \bar{x}_1)$, and whenever $(s_2, \bar{x}_2) \xrightarrow{a} (s_2', \bar{x}_2')$ for $a \in \Sigma \cup \mathbb{R}_+$, then $(s_1, \bar{x}_1) \xrightarrow{a} (s_1', \bar{x}_1')$ and $(s_2', \bar{x}_2') \mathcal{R} (s_1', \bar{x}_1')$.

We define a relation $\mathcal{R}'$ from each state $(\ell, \bar{x}_1 \bar{x}_2 x)$ of $A_{12} / \Sigma_h$ to a state $(\ell', \bar{x}_1' \bar{x}_2' x')$ of $A_{12} \setminus \Sigma_h$ as follows:

• if $\ell = q_0^{12}$ then $(\ell, \bar{x}_1 \bar{x}_2 x) \mathcal{R}' (\ell, \bar{x}_1 \bar{x}_2 x)$;

• if $\ell \in Q_1$, then $(\ell, \bar{x}_1 \bar{x}_2 x) \mathcal{R}' (\ell, \bar{x}_1 \bar{x}_2 x)$;

• if $\ell \in Q_2$, then $(\ell, \bar{x}_1 \bar{x}_2 x) \mathcal{R}' (\ell', \bar{x}_1' \bar{x}_2 x)$ iff $(\ell, \bar{x}_2) \mathcal{R} (\ell', \bar{x}_1')$.

$\mathcal{R}'$ is a simulation of $A_{12} / \Sigma_h$ by $A_{12} \setminus \Sigma_h$:

• the initial states of the two TA are in relation;

• assume $(s, \bar{x}_1 \bar{x}_2 x) \xrightarrow{a}_{A_{12} / \Sigma_h} (s', \bar{x}_1' \bar{x}_2' x')$. If $s \in \{q_0^{12}\} \cup Q_1$ then clearly it is simulated by the same state in $A_{12} \setminus \Sigma_h$. Otherwise, if $s \in Q_2$, then there exists a state $(s', \bar{x}_1' \bar{x}_2 x')$ in $A_{12} \setminus \Sigma_h$ s.t. $(s, \bar{x}_1 \bar{x}_2 x) \mathcal{R}' (s', \bar{x}_1' \bar{x}_2 x')$: by definition of $\mathcal{R}'$ we can take any $(s', \bar{x}_1' \bar{x}_2 x')$ with $(s, \bar{x}_2) \mathcal{R} (s', \bar{x}_1')$. It is easy to see that because $A_1$ can simulate $A_2$ from there on, $\mathcal{R}'$ is indeed a simulation relation. Thus $A_{12} / \Sigma_h$ and $A_{12} \setminus \Sigma_h$ are co-similar by Proposition 2.

Now assume conversely that there is a simulation $\mathcal{R}'$ of $A_{12} / \Sigma_h$ by $A_{12} \setminus \Sigma_h$. We can define a simulation relation of $A_2$ by $A_1$ as follows: each state $(s, \bar{x}_1 \bar{x}_2 x)$ with $s \in Q_2$ of $A_{12} / \Sigma_h$ is simulated by a state $(s', \bar{x}_1' \bar{x}_2' x')$ with $s' \in Q_1$. We then define $\mathcal{R}$ by $(s, \bar{x}_2) \mathcal{R} (s', \bar{x}_1')$. Again it is easy to see that $\mathcal{R}$ is a simulation relation.

It follows that CSNNI-VP is EXPTIME-complete.

Now assume that $A_1$ and $A_2$ are bisimilar. We can define the relation $\mathcal{R}'$ exactly as above and this time it is a weak bisimulation between $A_{12} \setminus \Sigma_h$ and $A_{12} / \Sigma_h$.

If $A_{12}$ is BSNNI, the bisimulation relation $\mathcal{R}'$ between $A_{12} \setminus \Sigma_h$ and $A_{12} / \Sigma_h$ induces a bisimulation relation $\mathcal{R}$ between $A_1$ and $A_2$: it suffices to build $\mathcal{R}$ as the restriction of $\mathcal{R}'$ to pairs of states with a discrete component in $Q_1$ and a discrete component in $Q_2$.

As checking bisimulation between TA is also EXPTIME-complete, the EXPTIME-completeness of BSNNI-VP for TA follows. ■

Table II summarizes the results on the verification of the CSNNI and BSNNI properties.

TABLE II
Results for CSNNI-VP and BSNNI-VP

              Timed Automata            Finite Automata
  CSNNI-VP    EXPTIME-C (Theorem 2)     PTIME [15]
  BSNNI-VP    EXPTIME-C (Theorem 2)     PTIME [15]

Fig. 8. Automaton $D$.



V. The SNNI Control Problem 

The previous non-interference verification problem consists in checking whether an automaton $A$ has the non-interference property. If the answer is "no", one has to investigate why the non-interference property is not true, modify $A$ and check the property again. In contrast to the verification problem, the synthesis problem indicates whether there is a way of restricting the behavior of users to ensure a given property. Thus we consider that only some actions in the set $\Sigma_c$, with $\Sigma_c \subseteq \Sigma_h \cup \Sigma_l$, are controllable and can be disabled. We let $\Sigma_u = \Sigma \setminus \Sigma_c$ denote the actions that are uncontrollable and thus cannot be disabled. Note that, contrary to [15], we release the constraint $\Sigma_c = \Sigma_h$. The motivations for this work are manifold. Releasing $\Sigma_c = \Sigma_h$ is interesting in practice because it enables one to specify that an action from $\Sigma_h$ cannot be disabled (a service must be given), while some actions of $\Sigma_l$ can be disabled. We can view actions of $\Sigma_l$ as capabilities of the low-level user (e.g., pressing a button), and it thus makes sense to prevent the user from using the button for instance by disabling/hiding it temporarily.

Recall that a controller $C$ for $A$ gives for each run $\rho$ of $A$ the set $C(\rho) \in 2^{\Sigma_c \cup \{\lambda\}}$ of actions that are enabled after this particular run. The SNNI-Control Problem (SNNI-CP) we are interested in is the following:

Is there a controller $C$ s.t. $C(A)$ is SNNI? (SNNI-CP)

The SNNI-Controller Synthesis Problem (SNNI-CSP) asks to compute a witness when the answer to the SNNI-CP is "yes".

A. Preliminary Remarks 

First we motivate our definition of controllers which are mappings from $\mathrm{Runs}(A)$ to $2^{\Sigma_c \cup \{\lambda\}}$. The common definition of a controller in the literature is a mapping from $\mathrm{Runs}(A)$ to $\Sigma_c \cup \{\lambda\}$. Indeed, for the safety (or reachability) control problem, one can compute a mapping $M : \mathrm{Runs}(A) \to 2^{\Sigma_c \cup \{\lambda\}}$ (most permissive controller), and a controller $C$ ensures the safety goal iff $C(\rho) \subseteq M(\rho)$. This implies that any sub-controller of $M$ is a good controller. This is not the case for SNNI, even for finite automata, as the following example shows.

Example 7. Let us consider the automaton $D$ of Figure 8 with $\Sigma_c = \{a, h\}$. The largest sub-system of $D$ which is SNNI is 
$D$ itself. Disabling $a$ from state will result in an automaton which is not SNNI. 

We are thus interested in computing the largest (if there is such) sub-system of $A$ that we can control which is SNNI. Second, 
in our definition we allow a controller to forbid any controllable action. In contrast, in the literature, a controller should ensure 
some liveness and never block the system. In the context of a security property, it makes sense to disable everything if the 
security policy cannot be enforced otherwise. This makes the SNNI-CP easy for finite automata. 

B. SNNI-VP versus SNNI-CP 

SNNI-CP is harder than SNNI-VP since SNNI-VP reduces to SNNI-CP by taking $\Sigma_c = \emptyset$. Note that this is not true if we 
restrict to the subclass of control where $\Sigma_c = \Sigma_h$. Indeed, in this case SNNI-CP is always true (and then decidable) since the 
controller which forbids all controllable transitions makes the system SNNI. 

We then have the following theorem: 

Theorem 3. For general Timed Automata, SNNI-CP and SNNI-CSP are undecidable. 

Proof: SNNI-CP obviously reduces to SNNI-CSP. SNNI-VP reduces to SNNI-CP by taking $\Sigma_c = \emptyset$. SNNI-VP is 
undecidable for non-deterministic Timed Automata. ■

We will now show that SNNI-CP reduces to the SNNI-VP for finite automata. 

Fig. 9. The Automaton H 

Theorem 4. For finite automata, the SNNI-CP is PSPACE-Complete. 

Proof: The proof consists in proving that if a finite automaton can be restricted to be SNNI, then disabling all the $\Sigma_c$ 
actions is a solution. Thus the SNNI-CP reduces to the SNNI-VP and the result follows. 

As time is not taken into account in untimed automata, we can have $C(\rho) = \emptyset$ for finite automata (for general timed 
automata, this would mean that we block the time). The proof of the theorem consists in proving that if a finite automaton 
can be restricted to be SNNI, then disabling all the $\Sigma_c$ actions is a solution. Let $C_\forall$ be the controller defined by $C_\forall(\rho) = \emptyset$. 
We prove the following: if $C$ is a controller s.t. $C(A)$ is SNNI, then $C_\forall(A)$ is SNNI. 

Assume a finite automaton $D$ is SNNI. Let $e \in \Sigma_h \cup \Sigma_l$ and let $\mathcal{L}_e$ be the set of words containing at least one $e$. Depending 
on the type of $e$ we have: 

• if $e \in \Sigma_l$ then $\mathcal{L}((D \setminus \{e\}) \setminus \Sigma_h) = \mathcal{L}(D \setminus \Sigma_h) \setminus \mathcal{L}_e$ and as $D$ is SNNI, it is also equal to $\mathcal{L}(D/\Sigma_h) \setminus \mathcal{L}_e = \mathcal{L}((D \setminus \{e\})/\Sigma_h)$; 

• if $e \in \Sigma_h$, $\mathcal{L}((D \setminus \{e\})/\Sigma_h) \subseteq \mathcal{L}(D/\Sigma_h) = \mathcal{L}(D \setminus \Sigma_h) = \mathcal{L}((D \setminus \{e\}) \setminus \Sigma_h)$. 

So, if $D$ is SNNI, $D \setminus L$ is SNNI, $\forall L \subseteq \Sigma$. Since $\mathcal{L}(C_\forall(D)) = \mathcal{L}(D \setminus \Sigma_c)$, if $D$ is SNNI, then $D \setminus \Sigma_c$ is also SNNI and therefore 
$C_\forall(D)$ is SNNI. 

Let $A$ be the TA we want to restrict. Assume there is a controller $C$ s.t. $C(A)$ is SNNI. $C_\forall(C(A))$ is SNNI so $C_\forall(C(A)) = 
C_\forall(A)$ is also SNNI which means that $A \setminus \Sigma_c$ is SNNI. This proves that: $\exists C$ s.t. $C(A)$ is SNNI $\Leftrightarrow$ $A \setminus \Sigma_c$ is SNNI. 

It is then equivalent to check that $A \setminus \Sigma_c$ is SNNI to solve the SNNI-CP for $A$ and this can be done in PSPACE. PSPACE-hardness 
comes from the reduction of SNNI-VP to SNNI-CP, by taking $\Sigma_c = \emptyset$. 

■ 

Moreover, since the SNNI-CP reduces to the SNNI-VP for finite automata, and from Corollary 2, we have the following 
result: 

Corollary 3. For finite automata belonging to dTA, the SNNI-CP is PTIME. 

We will now show that Theorem 4 does not hold for timed automata, as the following example demonstrates. 

Example 8. Figure 9 gives an example of a timed automaton $H$ with high-level actions $\Sigma_h = \{h\}$ and low-level actions 
$\Sigma_l = \{a, b\}$. 

Assume $\Sigma_c = \{a\}$. Notice that $H \setminus \Sigma_c$ is not SNNI. Let the state based controller $C$ be defined by: $C(0, x) = \{a, \lambda\}$ when $H$ 
is in state $(0, x)$ with $x < 4$; and $C(0, x) = \{a\}$ when $x = 4$. Then $C(H)$ is SNNI. In this example, when $x = 4$ we prevent 
time from elapsing by forcing the firing of $a$ which indirectly disables action $h$. To do this we just have to add an invariant 
$[x \le 4]$ to location $0$ of $H$ and this cuts out the dashed transitions, rendering $C(H)$ SNNI. 

C. Algorithms for SNNI-CP and SNNI-CSP 

In this section we first prove that the SNNI-CP is EXPTIME-hard for dTA. Then we give an EXPTIME algorithm to solve 
the SNNI-CP and SNNI-CSP. 

Theorem 5. For dTA, the SNNI-CP is EXPTIME-Hard. 

Proof: The safety control problem for TA is EXPTIME-hard [27]. In the proof of this theorem, T.A. Henzinger and 
P.W. Kopke use timed automata where the controller chooses an action and the environment resolves non-determinism. The 
hardness proof reduces the halting problem for alternating Turing Machines using polynomial space to a safety control problem. 
In our framework, we use TA with controllable and uncontrollable actions. It is not difficult to adapt the hardness proof of [27] 
to TA which are deterministic w.r.t. $\Sigma_c$ actions and non deterministic w.r.t. $\Sigma_u$ actions. As $\Sigma_u$ transitions can never be disabled 
(they act only as spoiling actions), we can use a different label for each uncontrollable transition without altering the result in 
our definition of the safety control problem. Hence: the safety control problem as defined in Section II is EXPTIME-hard for 
deterministic TA (with controllable and uncontrollable transitions). This problem can be reduced to the safety control problem 
of TA with only one state $bad$. We can now reduce the safety control problem for deterministic TA which is EXPTIME-hard 
to the SNNI control problem on dTA. Let $A = (Q \cup \{bad\}, q_0, X, \Sigma_c \cup \Sigma_u, E, Inv)$ be a TGA, with $\Sigma_c$ (resp. $\Sigma_u$) the set 
of controllable (resp. uncontrollable) actions, and $bad$ a location to avoid. We define $A'$ by adding to $A$ two uncontrollable 
transitions: $(bad, true, h, \emptyset, q_h)$ and $(q_h, true, l, \emptyset, q_l)$ where $q_h$ and $q_l$ are fresh locations with invariant $true$. $l$ and $h$ are 
two fresh uncontrollable actions in $A'$. We now define $\Sigma_h = \{h\}$ and $\Sigma_l = \Sigma_c \cup \Sigma_u \cup \{l\}$ for $A'$. By definition of $A'$, for 
any controller $C$, if location $bad$ is not reachable in $C(A')$, then the actions $h$ and then $l$ cannot be fired. Thus if there is a 
controller $C$ for $A$ which avoids $bad$, the same controller $C$ renders $A'$ SNNI. Now if there is a controller $C'$ s.t. $C'(A')$ 
is SNNI, it must never enable $h$: otherwise an (untimed) word $w.h.l$ would be in $Untimed(\mathcal{L}(C'(A')/\Sigma_h))$, but no untimed 
word containing an $l$ can be in $Untimed(\mathcal{L}(C'(A') \setminus \Sigma_h))$, and thus $C'(A')$ would not be SNNI. Notice that it does not matter 
whether we require the controllers to be non blocking (mappings from $Runs(A)$ to $2^{\Sigma_c \cup \{\lambda\}} \setminus \{\emptyset\}$) or not as the reduction holds 
in any case. ■ 

To compute the most permissive controller (and we will also prove there is one), we build a safety game and solve a safety 
control problem. It may be necessary to iterate this procedure. Of course, we restrict our attention to TA in the class dTA for 
which the SNNI-VP is decidable. 

Let $A = (Q, q_0, X, \Sigma_h \cup \Sigma_l, E, Inv)$ be a TA s.t. $A \setminus \Sigma_h$ is deterministic. The idea of the reduction follows from the following 
remark: we want to find a controller $C$ s.t. $\mathcal{L}(C(A) \setminus \Sigma_h) = \mathcal{L}(C(A)/\Sigma_h)$. For any controller $C$ we have $\mathcal{L}(C(A) \setminus \Sigma_h) \subseteq 
\mathcal{L}(C(A)/\Sigma_h)$ because each run of $C(A) \setminus \Sigma_h$ is a run of $C(A)/\Sigma_h$. To ensure SNNI we must have $\mathcal{L}(C(A)/\Sigma_h) \subseteq \mathcal{L}(A \setminus \Sigma_h)$: 
indeed, $A \setminus \Sigma_h$ is the largest language that can be generated with no $\Sigma_h$ actions, so a necessary condition for enforcing SNNI 
is $\mathcal{L}(C(A)/\Sigma_h) \subseteq \mathcal{L}(A \setminus \Sigma_h)$. The controller $C(A)$ indicates what must be pruned out in $A$ to ensure the previous inclusion. 
Our algorithm thus proceeds as follows: we first try to find a controller $C^1$ which ensures that $\mathcal{L}(C^1(A)/\Sigma_h) \subseteq \mathcal{L}(A \setminus \Sigma_h)$. 
If $\mathcal{L}(C^1(A)/\Sigma_h) = \mathcal{L}(A \setminus \Sigma_h)$ then $C^1$ is the most permissive controller that enforces SNNI. It could be that what we had to 
prune out to ensure $\mathcal{L}(C^1(A)/\Sigma_h) \subseteq \mathcal{L}(A \setminus \Sigma_h)$ does not render $C^1(A)$ SNNI. In this case we may have to iterate the previous 
procedure on the new system $C^1(A)$. 

We first show how to compute $C^1$. As $A \setminus \Sigma_h$ is deterministic, we can construct $A_2 = (Q \cup \{q_{bad}\}, q_0, X_2, \Sigma_h \cup \Sigma_l, E_2, Inv_2)$ 
which is a copy of $A$ (with clock renaming) with $q_{bad}$ being a fresh location and s.t. $A_2$ is a complete (i.e., $\mathcal{L}(A_2) = T\Sigma^*$) version 
of $A \setminus \Sigma_h$ ($A_2$ is also deterministic). We write $last_2(w)$ for the state $(q, v)$ reached in $A_2$ after reading a timed word $w \in T\Sigma^*$. $A_2$ 
has the property that $w \in \mathcal{L}(A \setminus \Sigma_h)$ iff the state reached in $A_2$ after reading $w$ is not in $Bad$, with $Bad = \{(q_{bad}, v) \mid v \in \mathbb{R}_+^{X_2}\}$. 

Fact 1. Let $w \in T\Sigma^*$. Then $w \notin \mathcal{L}(A \setminus \Sigma_h) \Leftrightarrow last_2(w) \in Bad$. 

We now define the product $A_p = A \times A_2$ and the set of bad states $Bad_\otimes$ of $A_p$ to be the set of states where $A_2$ is in $Bad$. 
$\to_p$ denotes the transition relation of the semantics of $A_p$ and $s_0$ the initial state of $A_p$. When it is clear from the context we 
omit the subscript $p$ in $\to_p$. 

Lemma 3. Let $w \in \mathcal{L}(A)$. Then there is a run $\rho \in Runs(A_p)$ s.t. $\rho = s_0 \xrightarrow{w}_p s$ with $s \in Bad_\otimes$ iff $proj_{\Sigma_l}(w) \notin \mathcal{L}(A \setminus \Sigma_h)$. 

The proof follows easily from Fact 1. Given a run $\rho$ in $Runs(A_p)$, we let $\rho_{|1}$ be the projection of the run $\rho$ on $A$ (uniquely 
determined) and $\rho_{|2}$ be the unique run³ in $A_2$ whose trace is $proj_{\Sigma_l}(trace(\rho))$. The following lemma proves that any 
controller $C$ s.t. $C(A)$ is SNNI can be used to ensure that $Bad_\otimes$ is not reachable in the game $A_p$: 

Lemma 4. Let $C$ be a controller for $A$ s.t. $C(A)$ is SNNI. Let $C_\otimes$ be a controller on $A_p$ defined by $C_\otimes(\rho') = C(\rho'_{|1})$. Then, 
$Reach(C_\otimes(A_p)) \cap Bad_\otimes = \emptyset$. 

Proof: First $C_\otimes$ is well-defined because $\rho'_{|1}$ is uniquely defined. Let $C$ be a controller for $A$ s.t. $C(A)$ is SNNI. Assume 
$Reach(C_\otimes(A_p)) \cap Bad_\otimes \ne \emptyset$. By definition, there is a run $\rho'$ in $Runs(C_\otimes(A_p))$ such that: 

$$\rho' = ((q_0, q'_0), (\vec{0}, \vec{0})) \to \cdots \to ((q_n, q'_n), (v_n, v'_n)) \to ((q_{n+1}, q'_{n+1}), (v_{n+1}, v'_{n+1}))$$ 

with $((q_{n+1}, q'_{n+1}), (v_{n+1}, v'_{n+1})) \in Bad_\otimes$ and we can assume $(q'_i, v'_i) \notin Bad$ for $1 \le i \le n$ (and $q'_0 \notin Bad$). Let $\rho = \rho'_{|1}$ 
and $w = proj_{\Sigma_l}(trace(\rho')) = proj_{\Sigma_l}(trace(\rho))$. We can prove (1): $\rho \in Runs(C(A))$ and (2): $w \notin \mathcal{L}(C(A) \setminus \Sigma_h)$. (1) directly 
follows from the definition of $C_\otimes$. This implies that $w \in \mathcal{L}(C(A)/\Sigma_h)$. (2) follows from Lemma 3. By (1) and (2) we obtain 
that $w \in \mathcal{L}(C(A)/\Sigma_h) \setminus \mathcal{L}(C(A) \setminus \Sigma_h)$, i.e., $\mathcal{L}(C(A)/\Sigma_h) \ne \mathcal{L}(C(A) \setminus \Sigma_h)$ and so $C(A)$ does not have the SNNI property, 
which is a contradiction. Hence $Reach(C_\otimes(A_p)) \cap Bad_\otimes = \emptyset$. ■ 

If we have a controller which solves the safety game $(A_p, Bad_\otimes)$, we can build a controller which ensures that $\mathcal{L}(C(A)/\Sigma_h) \subseteq 
\mathcal{L}(A \setminus \Sigma_h)$. Notice that as emphasized before, this does not necessarily ensure that $C(A)$ is SNNI. 

Lemma 5. Let $C_\otimes$ be a controller for $A_p$ s.t. $Reach(C_\otimes(A_p)) \cap Bad_\otimes = \emptyset$. Let $C(\rho) = C_\otimes(\rho')$ if $\rho'_{|1} = \rho$. $C$ is well-defined 
and $\mathcal{L}(C(A)/\Sigma_h) \subseteq \mathcal{L}(A \setminus \Sigma_h)$. 

Proof: Let $\rho = (q_0, \vec{0}) \to (q_1, v_1) \to \cdots \to (q_n, v_n)$ be a run of $A$. Since $A_2$ is deterministic and complete there 
is exactly one run $\rho' = ((q_0, q'_0), (\vec{0}, \vec{0})) \to ((q_1, q'_1), (v_1, v'_1)) \to \cdots \to ((q_n, q'_n), (v_n, v'_n))$ in $A_p$ s.t. $\rho'_{|1} = \rho$. So $C$ is 
well-defined. Now, assume there is some $w \in \mathcal{L}(C(A)/\Sigma_h) \setminus \mathcal{L}(A \setminus \Sigma_h)$. Then, there is a run $\rho$ in $Runs(C(A)) \subseteq Runs(A)$ 
s.t. $proj_{\Sigma_l}(trace(\rho)) = w$, and there is a unique run $\rho' \in Runs(A_p)$ s.t. $\rho'_{|1} = \rho$ and $trace(\rho') = w$. First, by Lemma 3, $last(\rho') \in 
Bad_\otimes$. Second, this run $\rho'$ is in $Runs(C_\otimes(A_p))$ because of the definition of $C$. Hence $Reach(C_\otimes(A_p)) \cap Bad_\otimes \ne \emptyset$, which is 
a contradiction. ■ 

³ Recall that $A_2$ is deterministic. 

Fig. 10. The Automaton K 

It follows that if $C_\otimes$ is the most permissive controller for $A_p$ then $C(A)$ is a timed automaton (and can be effectively 
computed) because the most permissive controller for safety timed games is memoryless. More precisely, let $RG(A_p)$ be 
the region graph of $A_p$. $C$ is memoryless on $RG(A_p \setminus \Sigma_h)$ because $A_2$ is deterministic. The memory required by $C$ is at most 
$RG(A \setminus \Sigma_h)$ on the rest of the region graph $RG(A_p)$. 

Assume the safety game $(A_p, Bad_\otimes)$ can be won and $C_\otimes$ is the most permissive controller. Let $C$ be the controller obtained 
using Lemma 5. Controller $C$ ensures that $\mathcal{L}(C(A)/\Sigma_h) \subseteq \mathcal{L}(A \setminus \Sigma_h)$. But as the following example shows, it may be the case 
that $C(A)$ is not SNNI. 

Example 9. Consider the TA $K$ of Figure 10 with $\Sigma_h = \{h\}$ and $\Sigma_c = \{a\}$. 

We can compute $C(K)$ from $C_\otimes$ which satisfies $Reach(C_\otimes(K \times_{\Sigma_l} K_2)) \cap Bad_\otimes = \emptyset$, and is given by the sub-automaton of 
$K$ with the plain arrows. $C(K)$ is obviously not SNNI. For the example of $A(1)$ in Figure , if we compute $C$ in the same 
manner, we obtain $C(A(1)) = A(2)$ and moreover $\mathcal{L}(C(A(1))/\Sigma_h) = \mathcal{L}(A(1) \setminus \Sigma_h)$. And then the most permissive sub-system 
which is SNNI is given by $C(A(1)) = A(2)$ (the guard $x > 1$ of $A(1)$ is strengthened). 

The example of Figure [10] shows that computing the most permissive controller on A p is not always sufficient. Actually, we 
may have to iterate the computation of the most permissive controller on the reduced system C(A). 

Lemma 6. Consider the controller $C$ as defined in Lemma 5. If $C(A) \setminus \Sigma_h \approx_{\mathcal{L}} A \setminus \Sigma_h$ then $C(A)$ is SNNI. 

Proof: If $C(A) \setminus \Sigma_h \approx_{\mathcal{L}} A \setminus \Sigma_h$, then $\mathcal{L}(C(A)/\Sigma_h) \subseteq \mathcal{L}(A \setminus \Sigma_h) = \mathcal{L}(C(A) \setminus \Sigma_h)$. As $\mathcal{L}(C(A) \setminus \Sigma_h) \subseteq \mathcal{L}(C(A)/\Sigma_h)$ is 
always true, $\mathcal{L}(C(A)/\Sigma_h) = \mathcal{L}(C(A) \setminus \Sigma_h)$ and so $C(A)$ is SNNI. ■ 

Let $\bot$ be the symbol that denotes non controllability (or the non existence of a controller). We inductively define the sequence 
of controllers $C^i$ and timed automata $A^i$ as follows: 

• let $C^0$ be the controller defined by $C^0(\rho) = 2^{\Sigma_c \cup \{\lambda\}}$ and $A^0 = C^0(A) = A$; 

• let $A^i_p = A^i \times_{\Sigma_l} A^i_2$ and $C^{i+1}_\otimes$ be the most permissive controller for the safety game $(A^i_p, Bad^i_\otimes)$ ($\bot$ if no such controller 
exists). We use the notation $Bad^i_\otimes$ because this set depends on $A^i_2$. We define $C^{i+1}$ using Lemma 5: $C^{i+1}(\rho) = C^{i+1}_\otimes(\rho')$ 
if $\rho'_{|1} = \rho$. Let $A^{i+1} = C^{i+1}(A^i)$. 

By Lemma 6, if $C^{i+1}(A^i) \setminus \Sigma_h \approx_{\mathcal{L}} A^i \setminus \Sigma_h$ then $C^{i+1}(A^i)$ is SNNI. Therefore this condition is a sufficient condition for the 
termination of the algorithm defined above: 

Lemma 7. There exists an index $i \ge 1$ s.t. $C^i(A^{i-1})$ is SNNI or $C^i = \bot$. 

Proof: We prove that the region graph of $C^{i+1}(A^i)$ is a sub-graph of the region graph of $C^1(A^0)$ for $i \ge 1$. By Lemma 5 
(and the remark following it), $C^1(A^0)$ is a sub-graph of $RG(A \times A_2)$. Moreover $C^1$ is memoryless on $A \setminus \Sigma_h$ and requires a 
memory of less than $|RG(A \setminus \Sigma_h)|$ on the remaining part. Assume on this part, a node of $RG(A \times A_2)$ is of the form $((q, r), k)$ 
where $q$ is a location of $A$ and $r$ a region of $A$ and $k \in \{1, \ldots, |RG(A \setminus \Sigma_h)|\}$. 

Assume $RG(A^k)$ is a sub-graph of $RG(A^{k-1})$ for $k \ge 2$ and $RG(A^{k-1} \setminus \Sigma_h)$ is a sub-graph of $RG(A \setminus \Sigma_h)$. Using Lemma 5 
we can compute $A^k = C^k(A^{k-1})$ and: (1) $RG(A^k \setminus \Sigma_h)$ is a sub-graph of $A^{k-1} \setminus \Sigma_h$ and (2) the memory needed for $C^k_\otimes$ on 
the remaining part is less than $|RG(A^{k-1})|$. Actually, because $A^{k-1} \setminus \Sigma_h$ is deterministic, no more memory is required for 
$C^k$. Indeed, the memory corresponds to the nodes of $A^k \setminus \Sigma_h$. Thus a node of $RG(A^k)$ which is not in $RG(A^k \setminus \Sigma_h)$ is of the 
form $((q, r), k, k')$ with $k = k'$ or $k' = q_{bad}$. This implies that $RG(A^k)$ is a sub-graph of $RG(A^{k-1})$. 

The most permissive controller $C^i_\otimes$ will either disable at least one controllable transition of $A^{i-1} \setminus \Sigma_h$ or keep all the 
controllable transitions of $A^{i-1} \setminus \Sigma_h$. In the latter case $A^i \setminus \Sigma_h = A^{i-1} \setminus \Sigma_h$ and otherwise $|RG(A^i \setminus \Sigma_h)| < |RG(A^{i-1} \setminus \Sigma_h)|$. 
This can go on at most $|RG(A \setminus \Sigma_h)|$ steps. In the end either $A^i \setminus \Sigma_h = A^{i-1} \setminus \Sigma_h$, and this implies that $A^i \setminus \Sigma_h \approx_{\mathcal{L}} A^{i-1} \setminus \Sigma_h$ 
(Lemma 6), or it is impossible to control $A^{i-1}$ and $C^i = \bot$. In any case, our algorithm terminates in less than $|RG(A)|$ steps. 

■ 

To prove that we obtain the most permissive controller which enforces SNNI, we use the following lemma: 

Lemma 8. If $M$ is a controller such that $\mathcal{L}(M(A)/\Sigma_h) = \mathcal{L}(M(A) \setminus \Sigma_h)$, then $\forall i \ge 0$ and $\forall \rho \in Runs(A)$, $M(\rho) \subseteq C^i(\rho)$. 

Proof: The proof is by induction: 

• for $i = 0$ it holds trivially. 

• Assume the Lemma holds for indices up until $i$. Thus we have $Runs(M(A)) \subseteq Runs(A^i)$. Therefore, we can define $M$ over 
$A^i$ and $M(A^i)$ is SNNI. By Lemma 4, $M_\otimes$ is a controller for the safety game $(A^i_p, Bad^i_\otimes)$, therefore $M_\otimes(\rho') \subseteq C^{i+1}_\otimes(\rho')$ 
because $C^{i+1}_\otimes$ is the most permissive controller. This implies that $M(\rho) \subseteq C^{i+1}(\rho)$ by definition of $C^{i+1}$. 

■ 

Using Lemma 7 the sequence $C^i$ converges to a fix-point. Let $C^*$ denote this fix-point. 

Lemma 9. $C^*$ is the most permissive controller for the SNNI-CSP. 

Proof: Either $C^* = \bot$ and there is no way of enforcing SNNI (Lemma 4), or $C^* \ne \bot$ is such that $\mathcal{L}(C^*(A)/\Sigma_h) = 
\mathcal{L}(C^*(A) \setminus \Sigma_h)$ by Lemma 5. As for any valid controller $M$ such that $\mathcal{L}(M(A)/\Sigma_h) = \mathcal{L}(M(A) \setminus \Sigma_h)$ we have $M(\rho) \subseteq C^*(\rho)$ 
for each $\rho \in Runs(A)$ (Lemma 8), the result follows. ■ 

Lemma 7 proves the existence of a bound on the number of times we have to solve safety games. For a timed automaton 
$A$ in dTA, let $|A|$ be the size of $A$. 

Lemma 10. For a dTA $A$, $C^*$ can be computed in $O(2^{4|A|})$. 

Proof: As the proof of Lemma 7 shows, the region graph of $A^i$ is a sub-graph of the region graph of $A^1$, $\forall i \ge 1$, 
and the algorithm ends in less than $|RG(A)|$ steps. Computing the most permissive controller for $A^i_p$ avoiding $Bad^i_\otimes$ can 
be done in linear time in the size of the region graph of $A^i_p$. As $RG(A^i)$ is a sub-graph of $RG(A^1)$, $RG(A^i_p)$ is a sub-graph 
of $RG(A^1_p)$. So we have to solve at most $|RG(A)|$ safety games of sizes at most $|RG(A^1_p)|$. As $A^1$ is a sub-graph of 
$A^0_p = A \times_{\Sigma_l} A_2$, $|RG(A^1)| \le |RG(A)|^2$. And as $A^1_p = A^1 \times_{\Sigma_l} A^1_2$, $|RG(A^1_p)| \le |RG(A)|^3$. So, $C^*$ can be computed in 
$O(|RG(A)| \cdot |RG(A^1_p)|) = O(|RG(A)|^4) = O(2^{4 \cdot |A|})$. ■ 

Theorem 6. For dTA, the SNNI-CP and SNNI-CSP are EXPTIME-complete. 

For the special case of finite automata we even have: 

Lemma 11. For finite automata $C^* = C^2$. 

Proof: We know that $\mathcal{L}(C^2(A) \setminus \Sigma_h) \subseteq \mathcal{L}(C^1(A) \setminus \Sigma_h)$. Suppose that $\exists w$ s.t. $w \in \mathcal{L}(C^1(A) \setminus \Sigma_h)$ and $w \notin \mathcal{L}(C^2(A) \setminus \Sigma_h)$ 
($w$ cannot be the empty word). We can assume that $w = u.l$ with $u \in \Sigma_l^*$, $l \in \Sigma_l \cap \Sigma_c$ and $u \in \mathcal{L}(C^1(A) \setminus \Sigma_h)$ 
and $u.l \notin \mathcal{L}(C^2(A) \setminus \Sigma_h)$ ($l$ is the first letter which witnesses the non membership property). If $l$ had to be pruned in the 
computation of $C^2$, it is because there is a word $u.l.m$ with $m \in \Sigma^*$ s.t. $proj_{\Sigma_l}(u.l.m) \in \mathcal{L}(C^1(A)/\Sigma_h)$ but $proj_{\Sigma_l}(u.l.m) \notin 
\mathcal{L}(C^1(A) \setminus \Sigma_h)$. But by definition of $C^1$, $\mathcal{L}(C^1(A)/\Sigma_h) \subseteq \mathcal{L}(A \setminus \Sigma_h)$ (Lemma 5) and thus $proj_{\Sigma_l}(u.l.m) \in \mathcal{L}(A \setminus \Sigma_h)$. As 
$u.l \in \Sigma_l^*$, $proj_{\Sigma_l}(u.l.m) = u.l.proj_{\Sigma_l}(m)$ and $proj_{\Sigma_l}(m) \in \Sigma_l^*$. Since $u.l \in \mathcal{L}(C^1(A) \setminus \Sigma_h)$ and $proj_{\Sigma_l}(m) \in \Sigma_l^*$, we 
have $u.l.proj_{\Sigma_l}(m) \in \mathcal{L}(C^1(A) \setminus \Sigma_h)$ which is a contradiction. Thus $\mathcal{L}(C^2(A) \setminus \Sigma_h) = \mathcal{L}(C^1(A) \setminus \Sigma_h)$ which is our stopping 
condition by Lemma 6 and thus $C^* = C^2$. ■ 
It follows that: 

Theorem 7. For a finite automaton $A$ in dTA (i.e. such that $A \setminus \Sigma_h$ is deterministic), the SNNI-CSP is PSPACE-complete. 

As untimed automata can always be determinized, we can extend our algorithm to untimed automata when $A \setminus \Sigma_h$ is non-deterministic. 
It suffices to determinize $A^i_2$, $i = 1, 2$: 

Theorem 8. For a finite automaton $A$ such that $A \setminus \Sigma_h$ is non deterministic, the SNNI-CSP can be solved in EXPTIME. 
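The iteration $A^{i+1} = C^{i+1}(A^i)$ of Lemmas 5 to 7 and the stopping condition of Lemma 11, worked through for untimed automata as an added example (this is not the paper's code). It builds $A_2$ by subset construction, so it also covers the non-deterministic case of Theorem 8; the automaton, the action sets and all function names are assumptions made for the illustration.

```python
# Added example (not the paper's code): the untimed SNNI-CSP via the iterated safety games of
# Section V.C.  An automaton = (source, action, target) triples + initial state; all states accept.
BAD = frozenset({"q_bad"})  # sink location q_bad of the complete automaton A2

def det_complete(trans, init, sigma_l):
    """Subset construction of A\\Sigma_h completed with q_bad (the automaton A2): only
    low actions are read, so h-transitions never fire.  Returns delta[(S, a)] = S'."""
    delta, start = {}, frozenset({init})
    todo, seen = [start], {start}
    while todo:
        S = todo.pop()
        for a in sigma_l:
            T = frozenset(t for (s, b, t) in trans if s in S and b == a) or BAD
            delta[(S, a)] = T
            if T not in seen:
                seen.add(T)
                todo.append(T)
    return delta, start

def product(trans, init, sigma_h, sigma_l):
    """Reachable part of A_p = A x A2; A2 reads proj_l(trace), so it stays put on high
    actions.  Bad = states where A2 is in q_bad (Fact 1 / Lemma 3)."""
    delta, s0 = det_complete(trans, init, sigma_l)
    p0, ptrans = (init, s0), set()
    todo, seen = [p0], {p0}
    while todo:
        q, S = todo.pop()
        for (s, a, t) in trans:
            if s == q:
                nxt = (t, S if a in sigma_h else delta[(S, a)])
                ptrans.add(((q, S), a, nxt))
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return ptrans, p0, {s for s in seen if s[1] == BAD}

def is_snni(trans, init, sigma_h, sigma_l):
    """SNNI iff Bad is unreachable in A_p (L(A\\Sigma_h) <= L(A/Sigma_h) always holds)."""
    return not product(trans, init, sigma_h, sigma_l)[2]

def most_permissive(ptrans, p0, bad, sigma_c):
    """Safety game (A_p, Bad): a state is losing if it is Bad or an uncontrollable action
    may reach a losing state.  The most permissive controller disables a controllable
    action iff one of its targets is losing.  Returns None (bottom) if p0 is losing."""
    losing, changed = set(bad), True
    while changed:
        changed = False
        for (s, a, t) in ptrans:
            if a not in sigma_c and t in losing and s not in losing:
                losing.add(s)
                changed = True
    if p0 in losing:
        return None
    def enabled(s, a):  # an action stays enabled only if all of its targets are winning
        return all(t not in losing for (s2, b, t) in ptrans if (s2, b) == (s, a))
    return {(s, a, t) for (s, a, t) in ptrans if s not in losing and enabled(s, a)}

def synthesize(trans, init, sigma_h, sigma_l, sigma_c):
    """Iterate A^{i+1} = C^{i+1}(A^i) (Lemma 7) until the result is SNNI.  Returns
    [(transitions of C^1(A), init), (C^2(A), ...), ...], or None if a game is lost."""
    cur, history = (trans, init), []
    while not is_snni(*cur, sigma_h, sigma_l):
        ptrans, p0, bad = product(*cur, sigma_h, sigma_l)
        ctrl = most_permissive(ptrans, p0, bad, sigma_c)
        if ctrl is None:
            return None
        cur = (ctrl, p0)
        history.append(cur)
    return history

def low_words(trans, init, sigma_h, hide_h, max_len=8):
    """Low words (<= max_len letters) of A/Sigma_h (hide_h: h read as epsilon) or A\\Sigma_h."""
    words, todo, seen = set(), [(init, "")], set()
    while todo:
        q, w = todo.pop()
        if (q, w) in seen:
            continue
        seen.add((q, w))
        words.add(w)
        for (s, a, t) in trans:
            if s == q and a in sigma_h and hide_h:
                todo.append((t, w))
            elif s == q and a not in sigma_h and len(w) < max_len:
                todo.append((t, w + a))
    return words

def disable_all(trans, sigma_c):
    """A\\Sigma_c: the controller of Theorem 4 that forbids every controllable action."""
    return {tr for tr in trans if tr[1] not in sigma_c}

# Constructed automaton (not one of the paper's figures): on the low path a.b the
# uncontrollable h.c then leaks; the high path h.a.b mirrors a.b, so C^2 != C^1 (Lemma 11).
A_TRANS = {("q0", "a", "q1"), ("q1", "b", "q2"), ("q2", "h", "q3"), ("q3", "c", "q4"),
           ("q0", "h", "q5"), ("q5", "a", "q6"), ("q6", "b", "q7")}
SIGMA_H, SIGMA_L, SIGMA_C = {"h"}, {"a", "b", "c"}, {"a", "b"}
```

On this automaton $C^1$ cuts $b$ on the low path, which leaves $h.a.b$ in $C^1(A)/\Sigma_h$, so a second game is needed; with $\Sigma_c = \emptyset$ the first game is lost.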

Proposition 3. There is a family of finite automata $(A_i)_{i \ge 0}$ such that: (i) there is a most permissive controller $D^*$ s.t. $D^*(A_i)$ 
is SNNI and (ii) the memory required by $D^*$ is exponential in the size of $A_i$. 

Proof: 

Let $A$ be a finite automaton over the alphabet $\Sigma$. Define the automaton $A'$ as given by Figure 11. Assume the automaton 
$B$ is the sub-automaton of $A'$ with initial state $q'_0$. We take $\Sigma_h = \{h\} = \Sigma_u$ and $\Sigma_l = \Sigma = \Sigma_c$. The most permissive 
controller $D$ s.t. $D(A')$ is SNNI generates the largest sub-language of $\mathcal{L}(A')$ s.t. $\mathcal{L}(A' \setminus \Sigma_h) = \mathcal{L}(A'/\Sigma_h)$ and thus it generates 
$\mathcal{L}(A) = \mathcal{L}(A' \setminus \Sigma_h)$. 

The controller $D$ is memoryless on $A' \setminus \Sigma_h$ as emphasized in Lemma 5. It needs finite memory on the remaining part, i.e., on 
$B$. The controller $D$ on $B$ gives for each run a set of events of $\Sigma$ that can be enabled: $D(q_0 \xrightarrow{h} q'_0 \xrightarrow{w} q'_0) = X$ with 
$w \in \Sigma^*$ and $X \subseteq \Sigma_l$. As $B$ is deterministic, $D$ needs only the knowledge of $w$ and we can write $D(hw)$ ignoring the states of 
$A'$. For $B$ we can even write $D(w)$ instead of $D(hw)$. Define the equivalence relation $\equiv$ on $\Sigma^*$ by: $w \equiv w'$ if $D(w) = D(w')$. 
Denote the class of a word $w$ by $[w]$. Because $D$ is memory bounded, $\Sigma^*/\!\equiv$ is of finite index, which is exactly the memory 
needed by $D$. 

Thus we can define an automaton $D/\!\equiv\; = (M, m_0, \Sigma, \to)$ by: $M = \{[w] \mid w \in \Sigma^*\}$, $m_0 = [\varepsilon]$, and $[w] \xrightarrow{a} [wa]$ for 
$a \in D(hw)$. $D/\!\equiv$ is an automaton which accepts $\mathcal{L}(A)$ (and it is isomorphic to $D(B)$) and the size of which is the size of $D$ 
because $B$ has only one state. This automaton is deterministic and thus $D/\!\equiv$ is also deterministic and accepts $\mathcal{L}(A)$. There is a 
family $(A_i)_{i \ge 0}$ of non-deterministic finite automata, such that the deterministic and language-equivalent automaton of each $A_i$ 
requires at least exponential size. For each of these $A_i$ we construct the controller $D_i$ as described before, and this controller 
must have at least an exponential size (w.r.t. $A_i$). This proves the EXPTIME lower bound. ■ 

Fig. 11. Automaton B 
In this section we have studied the strong non-deterministic non-interference control problem (SNNI-CP) and control synthesis 
problem (SNNI-CSP) in the timed setting. The main results we have obtained are: (1) the SNNI-CP can be solved if $A \setminus \Sigma_h$ can 
be determinized and is undecidable otherwise; (2) the SNNI-CSP can be solved by solving a finite sequence of safety games 
if $A \setminus \Sigma_h$ can be determinized. We have provided an optimal algorithm to solve the SNNI-CP and CSP in this case (although 
we have not proved a completeness result). 





         | A Timed Automaton                           | A Finite Automaton
         | A\Σ_h Non-Det.        | A\Σ_h Det.          | A\Σ_h Non-Det.      | A\Σ_h Det.
SNNI-CP  | undecidable (Theorem 3) | EXPTIME-C (Theorem 6) | PSPACE-C (Theorem 4) | PTIME (Corollary 3)
SNNI-CSP | undecidable (Theorem 3) | EXPTIME-C (Theorem 6) | EXPTIME (Theorem 8)  | PSPACE-C (Theorem 7)

TABLE III. Summary of the Results for SNNI-CP and SNNI-CSP 

The summary of the results is given in Table III. 

VI. BSNNI and CSNNI Control Problems 

In this section, we will show that for more restrictive non-interference properties (CSNNI and BSNNI) the control problem 
presents a major drawback: in the general case, there is no most permissive controller. 

The CSNNI-Control Problem CSNNI-CP (respectively BSNNI-Control Problem BSNNI-CP) we are interested in is the 
following: 

Is there a controller $C$ s.t. $C(A)$ is CSNNI (respectively BSNNI)? (CSNNI-CP, BSNNI-CP) 

The CSNNI-Controller Synthesis Problem CSNNI-CSP (respectively BSNNI-Controller Synthesis Problem BSNNI-CSP) 
asks to compute a witness when the answer to the CSNNI-CP (respectively BSNNI-CP) is "yes". 

A. CSNNI-CP and CSNNI-CSP 

Theorem 9. For finite automata the CSNNI-CP is in PTIME. 

Proof: 

Let $A$ be a finite automaton. We show that there exists a controller $C$ such that $C(A)$ is CSNNI if and only if $A \setminus \Sigma_c$ is 
CSNNI. 

The if direction is obvious: the controller $C_\forall$ that prevents any controllable action from occurring is defined by: $C_\forall(\rho) = \emptyset$, 
$\forall \rho \in Runs(A)$. It is easy to see that $C_\forall(A)$ is isomorphic to $A \setminus \Sigma_c$ and thus bisimilar. 

The only if direction is proved as follows: let $A_1$ and $A_2$ be two finite automata over alphabet $\Sigma$ such that $A_1$ weakly 
simulates $A_2$. Consider $A'_1 = A_1 \setminus \{e\}$ and $A'_2 = A_2 \setminus \{e\}$ for $e \in \Sigma$. Clearly, $A'_1$ simulates $A'_2$ (by definition of the simulation 
relation). 

Therefore, if there exists $C$ s.t. $C(A)$ is CSNNI, then so is $C(A) \setminus \Sigma'$ for any $\Sigma' \subseteq \Sigma$. It follows that $C(A) \setminus \Sigma_c$ must be 
CSNNI. 

The CSNNI-CP reduces to the CSNNI-VP which is PTIME for finite automata. 

■ 

Theorem 10. For the class of deterministic finite automata, the CSNNI-CSP is PSPACE-complete. 

Proof: By Lemma 2, for deterministic automata, SNNI is equivalent to CSNNI. Hence the CSNNI-CSP is equivalent to 
the SNNI-CSP which is PSPACE-complete by Theorem 7. ■ 

Fig. 12. Counterexample of Theorem 9 in the timed setting: (a) the automaton $A$; (b) the automaton $C(A)$ 

Fig. 13. Automata $C_1(A_c)$ and $C_2(A_c)$: (a) automaton $C_1(A_c)$; (b) automaton $C_2(A_c)$ 

In the timed setting, the previous reduction to a verification problem cannot be applied, as illustrated by the following 
Example 10. 



Example 10. Let $A$ be the deterministic timed automaton given in Figure 12(a) with $\Sigma_l = \{\ell_1, \ell_2\}$, $\Sigma_h = \{h\}$ and $\Sigma_c = \{\ell_1\}$. 
$A \setminus \Sigma_c$ is neither CSNNI nor SNNI (here SNNI and CSNNI are equivalent since $A$ is deterministic). However there exists a 
controller $C$ such that $C(A)$ is both CSNNI and SNNI. $C(A)$ can be given by the timed automaton given in Figure 12(b). 

However, for the timed automata in dTA, thanks to Lemma 2 and Theorems 6 and 7 we have: 

Theorem 11. For timed automata in dTA, the CSNNI-CP and CSNNI-CSP are EXPTIME-complete. 

Proof: By Lemma 2 the CSNNI-CP/CSNNI-CSP is equivalent to the SNNI-CP/SNNI-CSP for dTA and by Theorem 6 it 
follows that CSNNI-CP and CSNNI-CSP are EXPTIME-complete. ■ 

Moreover, for dTA, thanks to the algorithm of Section V there always exists a most permissive controller for CSNNI. However 
we will now show that there is a non-deterministic finite automaton s.t. there is no most permissive controller ensuring CSNNI. 

Proposition 4. There is no most permissive controller ensuring CSNNI for the finite automaton $A_c \notin$ dTA of Figure 5(a) (i.e. 
such that $A_c \setminus \Sigma_h$ is non deterministic) with $\Sigma_h = \{h\}$, $\Sigma_l = \{\ell_1, \ell_2, \ell_3\}$ and $\Sigma_c = \{\ell_2, \ell_3\}$. 

Proof: 

Let $A_c$ be the finite automaton of Figure 5(a) with $\Sigma_h = \{h\}$, $\Sigma_l = \{\ell_1, \ell_2, \ell_3\}$ and $\Sigma_c = \{\ell_2, \ell_3\}$. $A_c \notin$ dTA since $A_c \setminus \Sigma_h$ 
is non-deterministic. This automaton is not CSNNI. The controllers $C_1$ and $C_2$ of Figure 13 make the system CSNNI. However 
$(C_1 \cup C_2)(A_c) = A_c$ is not CSNNI and, by construction, is the only possible controller more permissive than $C_1$ and $C_2$. 
Therefore, there is no most permissive controller ensuring CSNNI for $A_c$ with $\Sigma_c$. 



B. BSNNI-CP and BSNNI-CSP 

We first show by Example 11 that even if there exists a controller for a finite automaton $A$ and a controllable alphabet $\Sigma_c$ 
ensuring BSNNI (i.e. the answer to BSNNI-CP is true), it is possible to have $A \setminus \Sigma_c$ not BSNNI. 

Example 11. Let $A_i$ be the finite automaton of Figure 14 with $\Sigma_h = \{h_1, h_2\}$ and $\Sigma_l = \{\ell\}$. This automaton is BSNNI, so 
the answer to BSNNI-CP is true for all $\Sigma_c$. However, for $\Sigma_c = \{h_2\}$, the automaton $A_i \setminus \Sigma_c = A_e$ is not BSNNI. 

Fig. 14. The automaton $A_i$ 

Fig. 15. Automata $C_1(A_e)$ and $C_2(A_e)$: (a) automaton $C_1(A_e)$; (b) automaton $C_2(A_e)$ 



We will now prove that for deterministic finite automata there is not always a most permissive controller that enforces 
BSNNI. This result is in contrast with CSNNI where a most permissive controller always exists for dTA. 

Proposition 5. There is no most permissive controller ensuring BSNNI for the deterministic finite automaton of Figure 6(a) 
with $\Sigma_h = \{h\}$, $\Sigma_l = \{\ell\}$ and $\Sigma_c = \{\ell, h\}$. 

Proof: 

Let $A_e$ be the deterministic finite automaton of Figure 6(a) with $\Sigma_h = \{h\}$, $\Sigma_l = \{\ell\}$ and $\Sigma_c = \{\ell, h\}$. This automaton is 
not BSNNI. The controllers $C_1$ and $C_2$ of Figure 15 make the system BSNNI. However, $(C_1 \cup C_2)(A_e) = A_e$ is not BSNNI 
and, by construction, is the only possible controller more permissive than $C_1$ and $C_2$. Therefore, there is no most permissive 
controller ensuring BSNNI for $A_e$ with $\Sigma_c$. 





          | A Timed Automaton                             | A Finite Automaton
          | A\Σ_h Non-Det.         | A\Σ_h Det.           | A\Σ_h Non-Det.         | A\Σ_h Det.
CSNNI-CP  | open                   | EXPTIME-C (Theorem 11) | PTIME (Theorem 9)    | PTIME (Theorem 9)
CSNNI-CSP | NMPC* (Proposition 4)  | EXPTIME-C (Theorem 11) | NMPC* (Proposition 4) | PSPACE-C (Theorem 10)
BSNNI-CSP | NMPC* (Proposition 5)  | NMPC* (Proposition 5)  | NMPC* (Proposition 5) | NMPC* (Proposition 5)

* NMPC means that there does not always exist a most permissive controller. 

TABLE IV. Summary of the Results for CSNNI and BSNNI Control Problems 

The summary of the results for CSNNI and BSNNI Control Problems is given in Table IV. 

VII. Conclusion and Future Work 

In this paper we have studied the strong non-deterministic non-interference control problem and control synthesis problem 
in the timed setting. The main results we have obtained are: (1) the SNNI-CP can be solved if $A \setminus \Sigma_h$ can be determinized 
and is undecidable otherwise; (2) the SNNI-CSP can be solved by solving a finite sequence of safety games if $A \setminus \Sigma_h$ can be 
determinized; (3) there is not always a least restrictive (most permissive) controller for (bi)simulation based non-interference, 
even for untimed finite automata. However, there is a most permissive controller for CSNNI if $A \setminus \Sigma_h$ is deterministic, and 
CSNNI-CP and CSNNI-CSP are EXPTIME-complete in this case in the timed setting. 

The summary of the results is given in Tables I and II for the verification problems and Tables III and IV for the control 
problems. 

Our future work will focus on the CSNNI-CP (and BSNNI-CP) as even when there is no most permissive controller it is 
interesting to find one. Another future direction will consist in determining conditions under which a least restrictive controller 
exists for the BSNNI-CSP. 